Thursday, March 28, 2013

Hacked off

This is not much to do with radio. But I know that many of you have your own websites and will probably find this of interest.

A couple of days ago I discovered that one of my websites had been hacked. Not G4ILO's Shack, but the other one which still continues to earn us a little bit despite receiving only the barest maintenence in the last two years.

I opened one of the pages and instead of the expected content a server error message appeared. My first thought was that the hosting company had changed some setting so I fired off an urgent support ticket. They responded saying that some of my files had been "compromised". Sure enough when I looked at one of the files there was some code I didn't recognize. This code referred to a file that had been added which was zero length, and that was causing a 500 server error. I deleted the file and every access now caused a 404 "file not found" error. Eventually I found that the .htaccess file had been hacked and some code added which was being executed for every single file access.

The timestamp showed that the .htaccess had been modified a week ago on 19th March. Because of the web browser caching we had not noticed the error messages any earlier. Google had visited the site in that time however, and had received a server error for every page it tried to access. So now the site had dropped out of Google. Thanks a lot, hackers.

Further investigation revealed that the hackers had modified almost every .php file on the server. They had inserted some code at the beginning of every file, apparently meant to disable error reporting. They had inserted some other code into one .php file that was included in every page. However, something in what they had done had the effect of disabling PHP processing with the result that the PHP code was sent to the browser instead of being executed.

To cut a long story short, after trying to repair the hacked files individually, I decided to restore the site from the oldest backup the hosting company held. I had a little bit of luck: the oldest backup was taken on 19th March, the day of the attack, but it had run before the attack occurred so I was able to restore the site with every file as it was originally. A day later and that backup would have gone and I would have been unable to restore the site without a lot of manual work. But the damage had been done as far as Google was concerned.

If you are expecting a lesson to be learned as a result of this story, I don't have one, other than if you want a quiet life stick to blogging, don't try to run your own website. If you do, visit your site every day and check for changes.

I have no idea how the hacker managed to gain access to the files on my shared web server. If they did it once they could do it again. I don't believe that my passwords were compromised as they are randomly-generated, but I changed them anyway. Altogether this episode lasted for several stressful hours - time that I would much rather have spent trying out the latest WSJT-X program.